Background
I have two WebSphere apps
- app1 on http://example.com:9080/app1
- app2 on http://example.com:9081/app2
(installed on two separate profiles, and both the ports and context roots are different)
Scenario
- When logging into app1, users get a JSESSIONID cookie X
- When logging into app2 in another browser tab (IE8), the user gets a JSESSIONID cookie Y
Problem
- When logging into app2, the JSESSIONID cookie value Y overwrites the value X, thus invalidating the session of app1 (the user is thrown back to the login page if they do anything)
Question
- Is that the default behavior? It looks weird that two web apps can share a JSESSIONID cookie
- Is there a way to configure the two web apps to have JSESSIONID cookie isolation?
Best Answer
Those two apps are unaware of each other since they're in separate profiles. So I expect the second one sees a session ID it doesn't recognize, assumes it's an expired one, and creates a new one.
You can change one of the application's cookie name to something other than JSESSIONID or you can change its path so that it is only sent back for /app1 or /app2.
Either server-wide under Servers > Server name > Session Management > Enable Cookies, or for the particular application(s) under Enterprise Applications > Application name > Session Management > Enable Cookies. If you choose the latter, you have to also check Override session management.
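The overwrite and both fixes from the answer above, modelled as an added example that is not part of the original post. Browsers key a stored cookie by name, host and path and ignore the port, so two apps on the same host collide unless the name or path differs. The example assumes both apps currently issue JSESSIONID with path "/"; the request URLs and the name APP2SESSIONID are constructed for illustration.

```javascript
// Minimal model of how a browser stores and returns cookies (RFC 6265).
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Store a cookie set by a response from `url`. The storage key is
  // (name, host, path): the port is not part of it.
  set(url, name, value, path) {
    const host = new URL(url).hostname; // hostname drops the port
    this.cookies.set(`${name};${host};${path}`, { name, value, host, path });
  }

  // Path matching per RFC 6265 section 5.1.4.
  static pathMatches(reqPath, cookiePath) {
    if (reqPath === cookiePath) return true;
    if (!reqPath.startsWith(cookiePath)) return false;
    return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
  }

  // Cookies sent on a request to `url`, as a name -> value object.
  send(url) {
    const u = new URL(url);
    const out = {};
    for (const c of this.cookies.values()) {
      if (c.host === u.hostname && CookieJar.pathMatches(u.pathname, c.path)) {
        out[c.name] = c.value;
      }
    }
    return out;
  }
}

const APP1 = "http://example.com:9080/app1/home"; // constructed request URLs
const APP2 = "http://example.com:9081/app2/home";

// Log in to app1 (session X), then app2 (session Y); return what each app receives next.
function scenario(c1, c2) {
  const jar = new CookieJar();
  jar.set(APP1, c1.name, "X", c1.path);
  jar.set(APP2, c2.name, "Y", c2.path);
  return { app1: jar.send(APP1), app2: jar.send(APP2) };
}

// Assumed starting point: both apps issue JSESSIONID with path "/", so Y replaces X.
const shared = scenario({ name: "JSESSIONID", path: "/" }, { name: "JSESSIONID", path: "/" });
// Fix 1: scope each cookie to its context root.
const byPath = scenario({ name: "JSESSIONID", path: "/app1" }, { name: "JSESSIONID", path: "/app2" });
// Fix 2: rename one cookie (APP2SESSIONID is a hypothetical name).
const byName = scenario({ name: "JSESSIONID", path: "/" }, { name: "APP2SESSIONID", path: "/" });
console.log(JSON.stringify({ shared, byPath, byName }));
```

With the path fix, each app only ever receives its own session ID; with the rename, app1 still receives app2's cookie but ignores it because the name differs.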